Using Security Controls

Authentication

| ID | Requirement | Code Example |
|---|---|---|
|  | All site interaction, from the page containing the login form to the page confirming logout (inclusive), must use SSL. | TBD |
| AU002 | All requests for pages that require authentication shall call the ESAPI.authenticator().login() method. | TBD |
| AU003 | The application shall provide the user with a logout link on every page that invokes the ESAPI.authenticator().logout() method. | TBD |
| AU004 | Form fields used for passwords must use type=password to mask the password from view. | TBD |
| AU005 | The application shall never put passwords into HTML, including when repopulating form fields. | TBD |
| AU006 | The application shall use the FIXME to set a "remember me" cookie for automatic authentication, but only if a user specifically authorizes it. | TBD |
| AU007 | The application shall include JavaScript in all pages that protects against being nested or framed in other websites. | TBD |
| AU008 | The application shall reauthenticate users with User.checkPassword() before allowing access to sensitive transactions. | TBD |
| AU009 | Link and form URLs for all transactions shall be updated with the HTTPUtilities.addCSRFToken() method to add a CSRF token. | TBD |
| AU010 | All HTTP requests for transactions shall be verified using the HTTPUtilities.verifyCSRFToken() method to check that the request is not forged. | TBD |
| AU011 | Account creation and registration functions should protect against automated tools. | TBD |
| AU012 | The application shall generate strong passwords for users with the Authenticator.generateStrongPassword() method. | TBD |
| AU013 | The application shall verify the strength of any user-provided password with the Authenticator.verifyPasswordStrength() method. | TBD |
| AU014 | The application shall verify the strength of any user account name with the Authenticator.verifyAccountNameStrength() method. | TBD |
| AU015 | The application shall display information upon login about the last successful (User.getLastLoginTime()) and last failed (User.getLastFailedLoginTime()) login date and time. | TBD |
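The following class is an added example, not code from the original page or from the ESAPI project, showing how the AU002, AU012, AU013, AU014 and AU015 requirements above fit together in one account service. It assumes the ESAPI 2.x Authenticator API (in particular the three-argument verifyPasswordStrength), that ESAPI.properties is on the classpath, and that the reference Authenticator is configured; the class and method names are the example's own.

```java
import java.util.Date;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.User;
import org.owasp.esapi.errors.AuthenticationException;

/**
 * Account lifecycle helpers on top of the ESAPI 2.x Authenticator (assumed API).
 * Assumes ESAPI.properties is on the classpath and an Authenticator is configured.
 */
public class AccountService {

    /** AU014 + AU012: validate the chosen account name, then create the account with a generated password. */
    public String createAccountWithGeneratedPassword(String accountName) throws AuthenticationException {
        // AU014: throws AuthenticationException if the name is too short, too long, or malformed
        ESAPI.authenticator().verifyAccountNameStrength(accountName);
        // AU012: let ESAPI produce a password that satisfies the configured complexity rules
        String generated = ESAPI.authenticator().generateStrongPassword();
        // createUser re-checks name and password strength and stores only the password hash
        ESAPI.authenticator().createUser(accountName, generated, generated);
        return generated; // hand to the user out of band; never write it to HTML or logs (AU005)
    }

    /** AU013: a user-chosen replacement password is checked against the rules before it is accepted. */
    public void changePassword(User user, String current, String proposed, String proposedAgain)
            throws AuthenticationException {
        // Rejects weak passwords and, in the reference implementation, ones too similar to the old one
        ESAPI.authenticator().verifyPasswordStrength(current, proposed, user);
        // changePassword verifies the current password before replacing the stored hash
        ESAPI.authenticator().changePassword(user, current, proposed, proposedAgain);
    }

    /** AU002 + AU015: authenticate the request and build the "last login" notice for the page. */
    public String loginAndDescribe(HttpServletRequest request, HttpServletResponse response)
            throws AuthenticationException {
        // AU002: reads credentials from the request (or an existing session) and throws on failure
        User user = ESAPI.authenticator().login(request, response);
        // AU015: both dates come from the user record. Whether getLastLoginTime() already reflects
        // this login or still the previous one depends on the Authenticator implementation; check yours.
        Date lastOk = user.getLastLoginTime();
        Date lastFailed = user.getLastFailedLoginTime();
        // Encode before placing in HTML so the values cannot carry markup into the page
        return "Last successful login: " + ESAPI.encoder().encodeForHTML(String.valueOf(lastOk))
             + "; last failed login: " + ESAPI.encoder().encodeForHTML(String.valueOf(lastFailed));
    }
}
```

The generated password is returned to the caller only so it can be delivered through a separate channel; the same AU005 rule that forbids passwords in HTML applies to log statements and error messages around this code.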

Session Management

| ID | Requirement | Code Example |
|---|---|---|
| AC001 | Only the container-provided JSESSIONID should be used as a session identifier. | TBD |
| AC001 | Every page should contain an obvious link to the logout function. | TBD |
| AC001 | The JSESSIONID and any other session identifiers must never be disclosed in links, HTML content, log files, or any other storage. | TBD |
| AC001 | The JSESSIONID and any other session identifiers must never be used as an identifier for any other purpose. | TBD |
| AC001 | URL rewriting must never be enabled. | TBD |
| AC001 | Call ESAPI.authenticator().logoff() to end the user's session. | TBD |
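As an added example (not part of the original page or of ESAPI), the listener below enforces the session rules in this section at the container level and shows the logout path behind the link every page carries. It assumes a Servlet 3.0 or later container, the ESAPI 2.x API (where the Authenticator method is named logout()), and a hypothetical "/logged-out" confirmation page.

```java
import java.io.IOException;
import java.util.EnumSet;
import javax.servlet.ServletContext;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.SessionTrackingMode;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.owasp.esapi.ESAPI;

/**
 * Container-side session policy plus the logout path (assumed: Servlet 3.0+ API and ESAPI 2.x).
 * Register the listener in web.xml or annotate it with @WebListener.
 */
public class SessionPolicy implements ServletContextListener {

    @Override
    public void contextInitialized(ServletContextEvent event) {
        ServletContext ctx = event.getServletContext();
        // Cookie-only tracking: the container never rewrites JSESSIONID into URLs, so the
        // identifier cannot end up in links, Referer headers, or access logs
        ctx.setSessionTrackingModes(EnumSet.of(SessionTrackingMode.COOKIE));
        // Keep the container cookie away from script and off cleartext connections
        ctx.getSessionCookieConfig().setHttpOnly(true);
        ctx.getSessionCookieConfig().setSecure(true);
    }

    @Override
    public void contextDestroyed(ServletContextEvent event) { }

    /** Called from the servlet behind the logout link that every page carries. */
    public static void endSession(HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        // ESAPI's thread-local helpers need the current request/response pair
        ESAPI.httpUtilities().setCurrentHTTP(request, response);
        // Ends the ESAPI user session; the reference implementation also kills the JSESSIONID cookie
        ESAPI.authenticator().logout();
        // Belt and braces: make sure the container session is gone as well
        HttpSession session = request.getSession(false);
        if (session != null) {
            session.invalidate();
        }
        response.sendRedirect(request.getContextPath() + "/logged-out"); // hypothetical page
    }
}
```

Setting the tracking mode to COOKIE only is what makes "URL rewriting must never be enabled" hold regardless of what individual pages do with response.encodeURL().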

Access Control

| ID | Requirement | Code Example |
|---|---|---|
| AC001 | The application shall use assertAuthorizedForURL() to verify authorization before allowing access to each URL. | TBD |
| AC002 | The application shall use assertAuthorizedForFunction() to verify authorization before allowing access to each business function. | TBD |
| AC003 | The application shall use assertAuthorizedForFile() to verify authorization before allowing access to files. | TBD |
| AC004 | The application shall use assertAuthorizedForData() to verify authorization before allowing access to data. | TBD |
| AC005 | The application shall use assertAuthorizedForService() to verify authorization before allowing access to each backend service. | TBD |
| AC006 | The application shall use the isAuthorizedFor* methods to verify authorization before including user interface controls in HTML output. | TBD |
| AC007 | The application shall use AccessReferenceMap.getIndirectReference() to reference all application objects such as filenames, directory paths, and database keys. | TBD |
| AC008 | The application shall prevent access to all resources that should not be directly accessed by users (such as XML files, JSP files, and properties files) by storing them in a protected directory, such as WEB-INF. | TBD |
| AC009 | The application shall use HTTPUtilities.sendSafeForward() for all forwards, to ensure that they cannot be used to bypass access checks. | TBD |
| AC0010 | The application must use only trusted data in access control decisions. | TBD |
| AC0011 | Administrative functions for the application shall be deployed as a separate application with increased authentication controls. | TBD |
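The class below is an added example, not code from the original page or from ESAPI, showing the layered checks of AC001, AC002, AC004, AC006 and AC007 on one "view statement" feature: a URL check in a filter, a function check and a data check in the business method, and an access reference map so that real account numbers never appear in the page. It assumes the ESAPI 2.x API (RandomAccessReferenceMap, the generic getDirectReference) and hypothetical function names "ViewStatement" and "ExportStatements" and action name "read", which would have to exist in your access control rules.

```java
import java.io.IOException;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.errors.AccessControlException;
import org.owasp.esapi.reference.RandomAccessReferenceMap;

/**
 * Layered authorization for a "view statement" feature (assumed ESAPI 2.x API; the function
 * names "ViewStatement"/"ExportStatements" and the action "read" are this example's own).
 */
public class StatementAccess {

    /** AC001: every request is checked against the URL policy before any servlet runs. */
    public static class UrlFilter implements Filter {
        @Override public void init(FilterConfig config) { }
        @Override public void destroy() { }

        @Override
        public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
                throws IOException, ServletException {
            HttpServletRequest request = (HttpServletRequest) req;
            HttpServletResponse response = (HttpServletResponse) res;
            ESAPI.httpUtilities().setCurrentHTTP(request, response);
            try {
                // Throws AccessControlException unless the current user's roles allow this URL
                ESAPI.accessController().assertAuthorizedForURL(request.getRequestURI());
            } catch (AccessControlException e) {
                response.sendError(HttpServletResponse.SC_FORBIDDEN);
                return;
            }
            chain.doFilter(req, res);
        }
    }

    // AC007: map from random indirect references to real account numbers.
    // Held in a field here for brevity; in a real application it lives in the user's HttpSession.
    private final RandomAccessReferenceMap refs = new RandomAccessReferenceMap();

    /** Render links for the caller's own accounts; the page never sees a real account number. */
    public String statementLinks(Set<String> ownAccountNumbers) {
        StringBuilder html = new StringBuilder();
        for (String acct : ownAccountNumbers) {
            String indirect = refs.addDirectReference(acct); // short random token for this record
            html.append("<a href=\"/statement?acct=")
                .append(ESAPI.encoder().encodeForHTMLAttribute(indirect))
                .append("\">Statement</a>\n");
        }
        // AC006: only emit the export control when the user may actually use it
        if (ESAPI.accessController().isAuthorizedForFunction("ExportStatements")) {
            html.append("<a href=\"/export\">Export all</a>\n");
        }
        return html.toString();
    }

    /** Resolve the submitted reference and check function and data authorization; returns the account. */
    public String resolveStatementAccount(String indirectParam) throws AccessControlException {
        // AC002: business-function check
        ESAPI.accessController().assertAuthorizedForFunction("ViewStatement");
        // AC007: an unknown or guessed reference raises AccessControlException here
        String acct = refs.getDirectReference(indirectParam);
        // AC004: record-level check on the specific piece of data
        ESAPI.accessController().assertAuthorizedForData("read", acct);
        return acct; // the caller loads the statement for this account
    }
}
```

Because the map is built only from the accounts the user owns, an attacker who tampers with the acct parameter can at most name a reference that is not in the map, which getDirectReference() rejects before any data check runs.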

Input Validation

| ID | Requirement | Code Example |
|---|---|---|
| AC001 | The application shall avoid the use of hidden fields. | TBD |
| AC001 | The application shall avoid the use of custom cookies or other HTTP headers. | TBD |
| AC001 | The application shall add all custom cookies with ESAPI.httpUtilities().safeAddCookie() or ESAPI.httpUtilities().safeSetCookie() to ensure they are properly secured. | TBD |
| AC001 | The application shall perform validation at the boundary of all major application components. | TBD |
| AC001 | All input must be validated against a strict whitelist pattern using the Validator.* methods before use. |  |
|  | Use the Encryptor.encrypt() method to encrypt and the Encryptor.decrypt() method to decrypt all sensitive information before storing it. | TBD |
| AC001 | Use the Encryptor.hash() method to generate message digests for integrity purposes. | TBD |
| AC001 | Data that expires after an elapsed time should be generated with the Encryptor.seal() method and verified with the Encryptor.verifySeal() method. | TBD |
| AC001 | The application shall use to | TBD |
| AC001 | The application shall use to | TBD |
|  | Forms containing sensitive data should include the "autocomplete=off" attribute on the FORM tag as well as on individual form elements. |  |
|  | The application shall use an EncryptedProperties to store all security-relevant data, such as passwords, credentials, codes, configuration information, addresses, etc. |  |
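The following is an added example, not code from the original page or from ESAPI, covering the Validator.*, Encryptor.hash() and Encryptor.seal()/verifySeal() rows above with a password-reset token flow: the email address is whitelist-validated at the boundary, the token is a seal that expires after a fixed interval, and a stored digest is checked with a constant-time comparison. It assumes the ESAPI 2.x Encryptor and Validator API, the default "Validator.Email" pattern in ESAPI.properties, and a ten-minute lifetime chosen for the example.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.errors.EncryptionException;
import org.owasp.esapi.errors.IntegrityException;
import org.owasp.esapi.errors.ValidationException;

/** Whitelist validation at the boundary plus sealed, expiring tokens (assumed ESAPI 2.x API). */
public class ResetTokens {
    private static final long TEN_MINUTES_MS = 10L * 60 * 1000; // lifetime chosen for the example

    /** Accept only an email-shaped value; anything else is rejected before it is used anywhere. */
    public String validatedEmail(String rawParam) throws ValidationException {
        // "Email" selects the Validator.Email regex from ESAPI.properties; max length 254, null not allowed
        return ESAPI.validator().getValidInput("password reset email", rawParam, "Email", 254, false);
    }

    /** Issue a reset token that carries the account name and stops verifying after ten minutes. */
    public String issueToken(String accountName) throws IntegrityException {
        long expires = ESAPI.encryptor().getRelativeTimeStamp(TEN_MINUTES_MS);
        // seal() encrypts data plus expiry under the master key; tampering or expiry fails verifySeal()
        return ESAPI.encryptor().seal(accountName, expires);
    }

    /** Returns the account name inside a valid, unexpired token, or null when the seal does not verify. */
    public String redeemToken(String token) {
        if (token == null || !ESAPI.encryptor().verifySeal(token)) {
            return null; // expired, forged, or not a seal at all
        }
        try {
            return ESAPI.encryptor().unseal(token);
        } catch (EncryptionException e) {
            return null;
        }
    }

    /** Integrity check for a stored record: digest the data with its per-record salt and compare. */
    public boolean digestMatches(String data, String salt, String storedDigest) throws EncryptionException {
        String computed = ESAPI.encryptor().hash(data, salt);
        // Constant-time comparison so the check does not leak how many leading bytes matched
        return MessageDigest.isEqual(computed.getBytes(StandardCharsets.UTF_8),
                                     storedDigest.getBytes(StandardCharsets.UTF_8));
    }
}
```

Both getValidInput() and verifySeal() fail closed: a non-matching value raises ValidationException rather than returning a cleaned-up string, and a token that fails the seal check is never unsealed.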

Using Services Securely

| ID | Requirement | Code Example |
|---|---|---|
| AC001 | The application shall use to | TBD |

Error Handling

| ID | Requirement | Code Example |
|---|---|---|
| AC001 | The application shall use to | TBD |

Logging and Intrusion Detection

| ID | Requirement | Code Example |
|---|---|---|
| AC001 | The application shall use to | TBD |

Secure Configuration and Deployment

| ID | Requirement | Code Example |
|---|---|---|
| SC001 | Production code shall not contain code not intended for use, such as debug, test, and dead code. | TBD |
| SC002 | The application's source code shall not contain secrets that would compromise security if disclosed. | TBD |
| SC003 | The application team shall run code quality tools such as FindBugs and PMD to find quality problems. | TBD |
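As an added example for SC002 (and for the EncryptedProperties row under Input Validation), not code from the original page or from ESAPI, the class below keeps a database password out of source and out of plain-text configuration by reading it from an ESAPI encrypted properties file. It assumes the ESAPI 2.x ReferenceEncryptedProperties class, a master key configured in ESAPI.properties, and a hypothetical property name "db.password" and file path.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import org.owasp.esapi.reference.crypto.ReferenceEncryptedProperties;

/**
 * SC002: secrets live in an encrypted properties file, not in source.
 * Assumes ESAPI 2.x and that Encryptor.MasterKey is set in ESAPI.properties; "db.password" is a
 * hypothetical key chosen for this example.
 */
public class SecretStore {
    private final ReferenceEncryptedProperties props = new ReferenceEncryptedProperties();

    /** Load the file at start-up; values are decrypted under the master key on access. */
    public void load(String path) throws IOException {
        try (InputStream in = new FileInputStream(path)) {
            props.load(in);
        }
    }

    /** The application asks for the secret by name; the literal never appears in code. */
    public String databasePassword() {
        return props.getProperty("db.password");
    }

    /** One-time provisioning step (run by an operator, not by the application at runtime). */
    public void store(String path, String key, String value) throws IOException {
        props.setProperty(key, value);
        try (OutputStream out = new FileOutputStream(path)) {
            props.store(out, "encrypted application secrets");
        }
    }
}
```

Pair this with a repository check (for example a pre-commit hook that greps for "password=" in committed .properties files) so that the plain-text form never enters version control in the first place.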

Avoiding Specific Risks

Cross Site Scripting

| ID | Requirement | Code Example |
|---|---|---|
| AC001 | The application shall use to | TBD |

Cross Site Request Forgery

| ID | Requirement | Code Example |
|---|---|---|
| AC001 | The application shall use to | TBD |
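This section's row is still a placeholder, so the following is an added example (not from the original page or from ESAPI) that implements the two CSRF requirements already stated under Authentication, AU009 (HTTPUtilities.addCSRFToken() on transaction links and forms) and AU010 (HTTPUtilities.verifyCSRFToken() on every transaction request). It assumes the ESAPI 2.x HTTPUtilities API, that a filter earlier in the chain has authenticated the user (the token belongs to the current user), and that "ctoken" is the request parameter name the reference implementation reads.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.errors.IntrusionException;

/**
 * Both halves of ESAPI's CSRF defence (assumed ESAPI 2.x API): token insertion for pages and
 * token verification for requests. Map the filter to the transaction URLs, after the filter
 * that authenticates the user.
 */
public class CsrfGuard implements Filter {

    @Override public void init(FilterConfig config) { }
    @Override public void destroy() { }

    /** AU009: a transaction link with the current user's token appended as a query parameter. */
    public static String transactionLink(String href, String label) {
        String withToken = ESAPI.httpUtilities().addCSRFToken(href);
        return "<a href=\"" + ESAPI.encoder().encodeForHTMLAttribute(withToken) + "\">"
             + ESAPI.encoder().encodeForHTML(label) + "</a>";
    }

    /** Same token as a hidden field for forms that POST a transaction.
     *  "ctoken" is the parameter name the reference implementation reads (assumption; check your version). */
    public static String hiddenTokenField() {
        String token = ESAPI.httpUtilities().getCSRFToken();
        return "<input type=\"hidden\" name=\"ctoken\" value=\""
             + ESAPI.encoder().encodeForHTMLAttribute(token) + "\"/>";
    }

    /** AU010: every state-changing request must present the token or it is refused. */
    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        ESAPI.httpUtilities().setCurrentHTTP(request, response);
        String method = request.getMethod();
        boolean readOnly = "GET".equals(method) || "HEAD".equals(method);
        if (!readOnly) {
            try {
                // Compares the submitted token with the current user's; a mismatch is an intrusion event
                ESAPI.httpUtilities().verifyCSRFToken();
            } catch (IntrusionException e) {
                response.sendError(HttpServletResponse.SC_FORBIDDEN);
                return;
            }
        }
        chain.doFilter(req, res);
    }
}
```

Exempting GET and HEAD only works if no transaction is reachable by GET; a token carried in a link URL is also visible in Referer headers and access logs, so forms with the hidden field are the better carrier for anything that changes state.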

Thread Safety Problems

| ID | Requirement | Code Example |
|---|---|---|
| AC001 | The application shall avoid the use of shared storage, such as class variables, instance variables, or singletons, in all multithreaded code. | TBD |

Denial of Service

| ID | Requirement | Code Example |
|---|---|---|
| AC001 | The application shall use to | TBD |

Banned APIs

The following calls are dangerous and should be replaced with the safer calls provided by ESAPI.